How limit Google Federated Login to specific Apps domain?

Question

I want to implement Single Sign-on in a customer's application. The customer has hosted email through Google Apps. As Google offers OpenID, this could be relatively easy to implement. However, the user might not be signed in to the correct Google Account (or even multiple accounts).

So, when using the Google OpenID endpoint https://www.google.com/accounts/o8/id the user is presented with a choice with which Google Account he/she wants to sign-in. As the application will only allow sign-ins from the Google Apps domain, this step could be skipped and should be for increased user experience. I could, however, not find ways to do this. There is this question on SO, but the links are all dead or refer to outdated specs. Also I could not find a hint in the Federated Login for Google Account Users specs.

Some places say one should use https://www.google.com/a/[domain]/o8/ud?be=o8, but that does not seem to work (anymore):

$ wget --header='Accept: application/xrds+xml' https://www.google.com/a/[domain]/o8/ud?be=o8
2012-01-24 09:29:53 ERROR 400: Bad Request.

Answer 1

Although I couldn't find official records, the end point for a specific Google Apps Domain is this:

https://google.com/accounts/o8/site-xrds?hd=<domain>

When using this approach, be aware that you will run into a google-specific modification:

Google changed the way of IdP Discovery and user XRDS check a little bit to give Google Apps users openid in http://example.com/openid?id=108441225163454056756 kind of format without asking the users to build their own openid servers. For small companies, people can get their openid under their domain with as few as just a domain name if they use Google Apps. source